Major credit card companies have made it mandatory for merchants and payment processors to comply with stringent network security rules that went into effect in mid-2005. But getting buy-in from the millions of companies that handle credit card information remains elusive.
American Express, Visa International, MasterCard Worldwide and Discover Financial Services are among the backers of the rules known as the Payment Card Industry Data Security Standard (PCI DSS).
“All the merchants are required to comply with the PCI data-security standards or face fines,” says Rob Tourt, vice president of network services at Discover. Yet adoption of PCI DSS is not widespread, Tourt admits, though he wouldn’t disclose exact figures.
To improve compliance, Discover is getting more aggressive and working individually with certain merchants to make sure they get through the 12-point security plan, which covers firewalls, vulnerability assessment and encryption, among other requirements.
Discover isn’t alone in striving to turn PCI DSS into more than a paper tiger. Visa, which works more directly with acquiring banks than with merchants, also is trying to shore up low merchant adoption numbers.
Visa’s new approach calls for levying punitive fines on banks that fail to get their merchant customers to comply with the PCI standard — while promising multimillion-dollar incentive packages for banks that prod their largest customers into complying.
The broader goal is to stem the hemorrhage of sensitive customer card data lost in recent security incidents, including the data breach acknowledged earlier this month by TJX Companies, which operates retail chains including T.J. Maxx and Marshalls.
The $16 billion Framingham, Mass., retailer won’t divulge whether it complies with PCI DSS, even though Gary Crittenden, executive vice president and CFO at American Express, sits on the TJX board.
American Express is one of the five payment-card companies that last September founded the PCI Security Standards Council, which issues the PCI security standard. The other four founding members are: Discover, JCB, MasterCard and Visa.
The latest version of the standard, PCI DSS v1.1, includes about 200 detailed network and physical security requirements, which the council’s founders say they want to become the norm for protecting payment-card information.
“We want to work together to drive things forward,” says Seana Pitt, chair of the PCI Security Standards Council and a vice president at American Express. “This is the first time the five competing brands have come together.”
The standard also includes provisions for “compensating controls” that let organizations propose alternative solutions if they can’t reasonably meet a particular requirement, such as the requirement to render stored cardholder data unreadable, typically by encryption. A compensating control is not a waiver: under the standard it must meet the intent and rigor of the original requirement, provide a comparable level of protection, and be documented and validated during assessment.
“For older retailers with mainframe systems from the ’70s, this may be difficult to do,” Pitt says. “If you have a business or technical challenge, the compensating control is a way to demonstrate how to secure that data through alternative methods.”